AD-A172  285 
UNCLASSIFIED 


RELIABILITY  AS  A  FUNCTION  OF  FATIGUE  CONPLEXITY  AND 
REDUNDANCY :  A  NATHENATICAL  ANALVSIS(U)  DIRECTORATE  OF 
AEROSPACE  STUDIES  KIRTLAND  AFB  NH  B  J  HANZ  OCT  85 
DAS-DR-85-7  F/G  1271 


1/1 


AD-A172  285 


DAS-DR-85-7 


DAS-DR-85-7 


-**1*  <*1  Wi.  *V_TY  <V  1 


INTERNAL  REPORT 

RELIABILITY  AS  A  FUNCTION  OF 
FATIGUE,  COMPLEXITY 
AND  REDUNDANCY 

A  MATHEMATICAL  ANALYSIS 

OCTOBER  1985 


DR  BRUNO  J.  MANZ 


APPROVED  FOR  PUBLIC  RELEASE 
DISTRIBUTION  IS  UNLIMITED 


II c 

SEP  2  3 1986 


A 


DIRECTORATE  OF  AEROSPACE  STUDIES 
DCS/PLANS  AND  PROGRAMS,  HQ  AFSC 
KIRTLAND  AFB,  NEW  MEXICO  87117-5000 


The  work  recorded  in  this  report  was  performed  in  support  of 
the  On-Orbit  Maintenance  and  Repair  Study  which  was  conducted  by 
this  Oi rectorate  for  HQ  AFSC  in  1985.  The  initiative  to  this 
report,  and  also  some  of  the  ideas,  are  due  to  the  Study  Director, 
Christopher  A.  Feuchter. 

8RUN0  J.  MANZ  ^  ^ 

Chief,  Studies  and  Evaluation  Oivision 
Directorate  of  Aerospace  Studies 


This  report  has  been  reviewed  and  approved  for  publication. 


1 1  u.  tbl—udhy 


KENNETH  iJ.  SMITH 

Technical  Director  of  Aerospace  Studies 


/  /'In  •-  tT 

PAUL  S.  BRITT,  Colonel,  USAF 
Director  of  Aerospace  Studies 


If 


I 


REPORT  DOCUMENT ATION  PAGE 


SECURITY  CLASSIFICATION  OF  THIS  PAGE 


7*.  REPORT  security  CLASSIFICATION 

UNCLASSIFIED _ 


St.  SECURITY  CLASSIFICATION  AUTHOFITV 


2b.  Q£ CLASSIFICATION/ DOWNGRADING  SCHEDULE 


4.  PERFORMING  ORGANIZATION  REPORT  NUMBERlS) 

DAS-0R-85-7 


te  NAME  OF  PERFORMING  ORGANIZATION 

Directorate  of  Aerospace  Stu 


6c.  AOORESS  (City.  State  and  ZIP  Cod*) 

Kirtland  AFB,  NM  87117-5000 


3.  oistribution/availability  of  report 

Approved  for  public  release; 
Distribution  is  unlimited. 


S.  MONITORING  ORGANIZATION  REPORT  NUMBERlS) 


7a.  NAME  OF  MONITORING  ORGANIZATION 


7b.  AOORESS  (City.  Slat *  and  ZIP  Codti 


•a.  NAME  OF  FUNOING/SPONSORING 
ORGANIZATION 


8b.  OFFICE  SYMBOL  9.  PROCUREMENT  INSTRUMENT  IDENTIFICATION  NUMBER 
(If  applicable/ 


Be  AOORESS  iCity.  Statt  and  ZIP  Coda) 


to.  SOURCE  OF  FUNDING  NOS. 


PROGRAM 

element  no. 


11.  TITLE  'Include  Security  Clautflcationi  j 

Reliability  as  a  Function  of  Fatigue,  Complexity  and  Redu 


12.  PERSONAL  AUTHOR(S) 

Dr  Bruno  J.  Manz 


13a.  TYPE  OF  REPORT  13b.  TIME  COVEREO  14.  OATE  OF  REPORT  (Yr..  Mo..  Day) 

Methodology  Report  from  Jan  85  tq  Qct  85  October  1985 


15.  page  COUNT 

57 


COSATI  COOES 


n 


FICLO  I  GROUP 


18.  SUBJECT  TERMS  i Continue  on  reuene  if  necestary  and  identify  by  block  numben 

Complexity  Mean  time  before  failure 

Criticality  Redundancy 

Fatigue  Reliability 


19.  ABSTRACT  rContimi*  on  reverie  if  nice— ary  and  identify  by  block  number i 


-JThis  is  a  mathematical  analysis  of  the  reliability  concept  and  two  kinds  of  reliability 
functions:  The  exponential  and  the  Weibull  distribution.  Both  functions  are  analyzed 
with  respect  to  the  following  four  determinants  of  reliability: 

1.  System  complexity, 

2.  Subsystem  critical ity; 

3.  Subsystem  redundancy ;  .... *  1 2 3 4 

4.  Fatigue  , 

Appropriate  formulas  describing  these  agencies  are  developed,  and  their  implications  are 
discussed. 


20.  OISTRIBUTION/AVAILABILITY  of  abstract 
UNCLASSIFIEO/UNLIMITEO  G  same  AS  RPT  £  OTIC  USERS  G 


S3*.  NAME  OF  RESPONSIBLE  INOIVIOUAL 


21.  ABSTRACT  SECURITY  CLASSIFICATION 


UNCLASSIFIED 


Dr  Bruno  J.  Manz 


DO  FORM  1473,  83  APR 


22b  TELEPHONE  NUMBER 
i Include  Area  Codei 

(505)  844-0756 


22c  OFFICE  SYMBOL 


EDITION  OP  1  JAN  73  IS  OBSOLETE. 


AFCMO/SAT 


_ UNCLASSIFIED _ 

SECURITY  CLASSIFICATION  OF  THIS  PAGE 


.  rmjL  fcA  m>  n  t  .  a  .ju  « 


.jV  .1.H  ■>«  JlV«I  ■*l  <»fyi/>.J)t/ri’l.ll>.lt>.ll<.tl l,r  1,^1 , *,«' 


MCUniTY  CLASSIFICATION  OF  THIS  FA  OS 


(THIS  PAGE  INTENTIONALLY  LEFT  BLANK) 


UNCLAS 


l 


at  nw  wfwwwff'r.fi 


SSCUAlTV  CLASSIFICATION  OF  THIS  FAQ* 

-V  .  «  L  •  .  ...  J»  4>  *>  \  *  i  -  *  ■  * 


TABLE  OF  CONTENTS 


SECTION  PAGE 


PREFACE 

1 

INTRODUCTION 

1 

2 

RECAPITULATION  JF  SOME  BASIC  FORMULAS 

FROM  THE  THEORY  OF  RELIABILITY 

■7 

3 

FATIGUE 

11 

4 

COMPLEXITY 

25 

5 

REDUNDANCY 

31 

6 

COMPLEXITY  AND  REDUNDANCY  COMBINED 

39 

\ 

7 

RELATED  TOPICS 

43 

55 


3 


SUMMARY 


y 


(THIS  PAGE  INTENTIONALLY  LEFT  liLANK) 


1.  INTRODUCTION 


Tne  reliability  of  a  system  is  a  function  of  many  factors.  The 
most  important  factors  which  we  call  "determinants"  are  listed  below. 

Determinants 


a.  System  Complexity 

o.  Subsystem  Criticality 

c.  Subsystem  Redundancy 

d.  Proclivity  to  Fatigue 
A  brief  discussion  follows. 

a.  Complexity 

Given  that  the  subsystems  of  systems  A  and  3  nave  equal 
complexity,  system  A  is  more  complex  than  System  3  if  A  has  more 
subsystems  than  3.  In  this  case  complexity  can  be  measured 
directly  in  terms  of  the  number  of  subsystems  N  to  which  we  refer 
as  the  "complexity  index". 

b.  Critical ity 

Every  subsystem  has  a  certain  criticality  with  regard  to 
either  the  system  or  the  mission.  Subsystem  A  has  higher  critical¬ 
ity  than  subsystem  3  if  failure  of  A  has  a  stronger  negative  effect 
on  the  system  or  the  mission  than  failure  of  3. 


c.  Redundanc 


A  given  subsystem  has  redundancy  r  if  it  nas  r  spares,  that 
is,  if  there  are  altogether  r  +  1  subsystems  of  the  given  kind.  If 
r  =  0,  there  is  no  spare  and,  consequently,  there  is  no  redundancy. 
If  r  -  1,  there  is  one  spare,  that  is,  two  subsystems  of  one  kind. 
The  redundancy  index  r  can  assume  nonnegative  integer  values  and 
is,  at  least  in  principle,  unlimited  on  the  upside. 

d.  Fatigue 


This  is  the  most  difficult  concept  to  explain  without  the 
aid  of  mathematics.  Another  word  for  "fatigue"  is  "aging".  We 
believe  that  fatigue,  or  aging,  is  the  only  cause  of  failure;  in 
other  words,  we  cannot  think  of  anotner  cause.  But  we  shall  show 
that  there  are  two  distinct  mathematical  ways  to  describe  the 
phenomenon  of  failure,  leading  to  two  categories  of  systems  which 
we  call  systems  of  Type  1  and  Type  2.  The  corresponding  concepts 
most  frequestly  used  in  the  literature  are  "exponential  distribution" 
and  "Weioull  distribution".  In  Section  3,  we  analyze  tne  implications 
of  both  system  types  or  distributions. 

The  primary  subjects  of  the  present  report  are  complexity  and 
redundancy.  However,  when  dealing  with  subjects  of  reliability, 
one  can  hardly  ignore  fatigue.  This  is  the  reason  why  we  precede 
the  sections  on  complexity  and  redundancy  with  a  section  on  fatigue. 

Criticality  was  addressed  in  considerable  detail  in  Reference  I. 
There  will  also  be  some  cryptic  remarks  on  criticality  in  Section  4. 
However,  most  of  the  material  offered  in  Reference  1  will  not  be  re¬ 
peated  in  the  present  report,  except  for  some  mathematical  techniques 
which  will  facilitate  the  exposition  of  some  ideas  presented  later  on. 


Ref  1.  Bruno  J.  Manz,  Topics  from  the  Theory  of  Reliability,  HAS-  j 

WP-77-5,  July  1977,  Unclassified.  ' 

i 

2 


2.  RECAPITULATION  OF  SOME  BASIC  FORMULAS  FROM  THE  THEORY  OF  RELIABILITY 


In  the  present  section,  we  limit  the  consideration  to  a  single  sud- 
system.  Therefore,  the  suojects  of  complexity  and  redundancy  do  not  yet 
arise.  By  skillful  maneuvering,  we  may  also  avoid  the  subject  of  fatigue. 

We  assume  that  the  subsystem  is  new  when  it  is  put  into  opera¬ 
tion  at  the  time  zero. 

definitions 


F(t)  =  Failure  probability,  more  precisely,  tne  probability 
that  the  subsystem  will  fail  within  the  time  interval  from  zero  to  t. 

R(t)  =  Reliability,  more  precisely,  the  probability  that 
the  suDsystem  will  not  fail  within  the  time  interval  from  zero  to  t. 

From  these  definitions  follows  that 

F(  t  '■  +  R(t)  =  1  (2.1) 

To  model  these  two  functions,  we  concentrate  on  one  of  them,  say, 
F(t).  It  is  reasonable  to  assume  that  this  function  has  the  follow¬ 
ing  properties: 

1.  F(Q)  =  0 

2.  F(oo  )  =  1 
dF 

3.  —  >  0  (0  <  t  <  cd  )  (2.2) 

dt 

dF 

4.  —  =  0  (t  =  oo  ) 

dt 


3 


Conditions  1  and  2  are  self-evident.  Condition  3  assures  mono- 
tonicity.  Condition  4  mandates  asymptotic  approacn  to  the  maximum 
value  F(oo)  =  1  as  t  joes  to  infinity. 


Conspicuously  absent  is  the  condition 


dF 

5.  —  =  0 

dt 


(t  =  0) 


(2.3) 


which  we  nevertheless  wish  to  codify  for  the  purpose  of  later 
discussion. 

The  four  conditions  (2.2)  are  satisfied  by  the  following 
differential  equation: 


dF  =  (1  -  F)  g(t)  dt 


(2.4) 


This  equation  makes  the  differential  dF  proportional  to  the  differ¬ 
ential  dt  and  the  factor  (1  -  F).  For  generality,  the  proportion¬ 
ality  factor  g(t)  is  still  a  function  of  the  time.  The  proportion¬ 
ality  of  dF  to  dt  is  mandated  by  the  calculus  of  differentiation. 
The  proportionality  of  dF  to  (1  -  F)  is  mandated  by  Conditions  2 


and  4. 


Condition  3  mandates  that 


y(t)  >  0 


(0  <  t  <  oo) 


(2.5) 


Condition  1  will  be  satisfied  by  proper  selection  of  the  integration 
constant. 


Integration  of  Equation  (2.4)  then  yields 


F(t)  =  1  -  A  Exp  {  -  G(t)  } 


(2.6) 


-•  >  -•  .*  /. . 


whera,  A  is  the  integration  constant,  and  G(t)  is  defined  as  follows: 
U(t)  =  f  y(t)  dt  <2.7 a 

or 


dG 

g(t)  =  —  (2.70) 

dt 

Witn  Equation  (2.6),  the  original  function  g(t)  is  replaced  oy 
the  function  G(t).  Since  both  functions  are  still  laryely  unspecified, 
the  replacement  is  purely  formal.  However,  there  are  two  conditions 
which  affect  G(t).  First,  condition  (2.5)  now  reads 

dG 

—  >  0  (0  <  t  <  oo)  (2.3) 

dt 

Second,  Condition  1  has  the  consequence  that 

% 

0  =  1  -  A  Exp  {  -  G  (0) )  (2.3) 

Since  this  equation  contains  two  constants,  A  and  G(0),  one  of  them 
is  freely  selectible.  We  select 

G(0)  =  0  (2.10) 

This  yields  A  =  1.  Equation  (2.6)  then  assumes  the  form 

F(t)  -  1  -  Exp  {  -  G(t) }  (2.111 

Of  course,  the  reliability  now  becomes 


R(t)  »  Exp  (  -  G(t) } 


(2.12) 


So  far,  we  h,3d  smooth  sailing,  thanks  to  avoiding  complete 
specification  of  the  function  G(t).  However,  it  is  obvious  that 
this  function  is  critical  to  the  theory  of  reliability.  It  is  also 
to  be  expected  that  it  bears  relevance  to  the  subject  of  fatigue. 
While  this  subject  will  be  addressed  in  the  next  section,  we  now 
consider  the  simplest  form  which  G(t)  may  assume.  Obviously,  that 
is  the  linear  form 

G(t)  =  ag  +  aj  t  [2. VI) 

From  (2.10)  then  follows  that  ag  =  0,  and  from  (2.8)  follows  that 
a^  >  0.  If  then  we  also  observe  that,  for  dimensional  reasons,  ait 
must  have  the  dimension  of  an  inverse  time,  we  may  write 


i 


Here,  x  is  a  characteristic  time  of  the  subsystem  which  wi 1 1  oe 
interpreted  shortly.  Equation  (2.13)  now  assumes  the  form 

t 

G(t)  =  -  (3.15) 


and  Equations  (2.11)  and  (2.12)  read 


F(t)  =  1 


(2.16a) 


R(t)  = 


(2.16b) 


Before  we  interpret  the  nature  of  the  characteristic  time  t  , 
we  provide  one  more  prerequisite.  To  that  end,  we  take  another  look 


6 


at  the  failure  probability  F(t).  Since  it  is  the  probability  of 
failure  within  the  finite  tine  interval  from  zero  to  t,  it  is 
cumulative.  This  is  expressed  by  the  fact  that  it  goes  monotonical ly 
and  asymptotically  to  one.  But  if  we  now  form  the  differential 


dF(t)  *  -  Exp 

t  . 


(2.17) 


we  see  that  this  is  a  probability  of  a  different  kind.  It  is  tne 
probability  of  failure  within  the  time  interval  dt  surrounding  the 
time  point  t.  And  since  dt  is  infinitesimal,  we  may  as  well  say 
that  dF(t)  is  the  probability  of  failure  £t  the  time  t.  Naturally, 
this  probability  is  infinitesimal.  If  now  we  multiply  dF(t)  by  t 
and  then  integrate  over  the  entire  time  interval  from  zero  to 
infinity,  we  obtain  the  expected  time  of  failure  or,  as  it  is  called, 
the  "Mean  Time  Before  Failure",  MT3F.  Hence  we  have 


■; 


t  dF(t) 


(2. IB) 


wnich  reads 


t/f  t  dt 


(2.19) 


For  later  purposes,  we  dwell  for  a  moment  on  the  method  of  how 
to  solve  the  integral.  To  that  end,  we  define  the  "moments" 


For  n  =  0  and  n  =  1 ,  we  have 


oo 

*<0  =  J  e-^T  it 
0 

oo 

rl i  s  J  e  dt 

0 

We  then  see  that  (2.19)  may  be  written  in  the  form 

Mi 

MTBF  =  — 


(2.21a) 


(2.21o) 


(2.22) 


We  also  note  that  the  integral  for  Mq  is  straightforward  and  yields 
-  T  (2.23) 

From  this  follows  that 


3x 


On  the  other  hand,  differentiation  of  Equation  (2.21a)  w.r.t.  t  yields 


e-t/i  tat 


8ecause  of  (2.21b)  and  (2.24),  this  reads 


(2.25) 


3 


Therefore,  Equation  {2.22)  yields 


MTBF  =  T  (2.27) 

This  is  an  operational  interpretation  of  the  characteristic  ti.net: 

It  is  the  Mean  Time  Before  Failure. 

If  we  set  t  *  0  in  Equation  (2.17),  we  get 

dF  1 

—  *  -  >  0  (t  *  0)  (2.28) 

dt  t 

If  we  compare  this  with  Equation  (2.3),  we  see  that  Condition  5  is 
NOT  satisfied.  This  is  one  of  the  reasons  why  we  separated  Condition 
5  from  Conditions^!  through  4  which,  indeed,  are  satisfied. 


(THIS  PAGE  INTENTIONALLY  LEFT  BLANK) 


3.  FATIGUE 


In  the  preceding  section,  we  selected  for  the  function  G(t) 
occuring  in  Equations  (2.11)  and  (2.12)  the  simplest  form  possible 
given  by  equation  (2.15).  For  the  purpose  of  further  discussion, 
we  write  this  function  now  in  the  more  yeneral  form 


The  corresponding  reliability  function  assumes  then  the  form 


R(t)  =  Exp 


(3.1b) 


Equation  (3.1a)  has  two  features,  one  formal,  and  one  substantive. 
The  formal  feature  is  the  subscript  of  tg.  We  did  this  to  facilitate 
the  following  discussion.  The  substantive  feature  is  the  exponents  . 
In  the  preceding  section,  this  exponent  assumed  the  value  one.  It 
appears  that  values  smaller  than  one  do  not  have  any  practical 
importance,  but  values  larger  than  one  do.  Therefore,  we  now  adopt 
the  following  terminology: 


If  S  *  1,  the  system  is  of  Type  1 
If  6>  1,  the  system  is  of  T.pe  2 

In  the  preceding  section,  we  dealt  exclusively  with  systems  of 
Type  1.  However,  in  the  literature,  notably  in  the  experimental ly 
oriented  literature,  we  frequently  finds  -  values  larger  than  one, 
that  is,  systems  of  Type  2.  The  terminology  most  frequently  used 
in  the  literature  is  as  follows: 


If  B  =  1,  Exponential  Distribution 
If  8  >  1,  Wei  bull  Distribution 


However,  we  prefer  our  own  terminology  because  it  focuses  on  the 
systems  rather  than  the  distribution  functions.  We  believe  that 
the  introduction  of  the  exponent  B  >  1  is  motivated  by  experience 
and  observation.  The  following  purely  theoretical  considerations 
support  this  belief. 

We  start  with  the  question:  What  is  essentially  the  difference 
between  systems  of  Type  1  and  Type  2?  In  preparation  of  the  answer, 
we  write  Equation  (3.1)  in  the  equivalent  form 


t 

G(t)  *  - 

t(t) 


with 


T(t) 


t  (3-  1) 


(3.2a) 


(3.2b) 


Here  we  replaced  the  constant  MTBF  ig  by  the  "time-dependent  MTBF" 
x(t).  Since  Equations  (3.2a)  and  (3.2b)  are  completely  equivalent 
to  Equation  (3.1a),  the  replacement  is  formal ,  not  substantive. 
Nevertheless,  we  shall  see  that  the  replacement  has  a  far-reaching 
heuristic  effect. 

The  time-dependent  MTBF  x(t)  is  shown  in  Figure  3-1  for  S  >  1. 

As  can  be  seen  from  this  figure  as  well  as  from  Equation  (3.2b), 
x( t )  becomes  infinite  for  t  =  0.  This  means  that  a  brand  new  system 
has  momentarily  an  infinite  MTBF.  And  this,  in  turn,  has  the  con¬ 
sequence  that  dF/dt  and  dR/dt  are  zero  for  t  =  0.  This  is  expressed 


in  a  deliberately  exaggerated  manner  in  Figures  3-2  and  3-3  by  t:ie 
horizontal  tangents  to  the  curves  F(t)  and  R(t)  at  t  =  0. 

That  the  horizontal  tangents  in  Figures  3-2  and  3-3  are  exaggerations 
follows  from  the  fact  that,  for 

1  <  3  <  2 


tnat  is,  (3-2)  <  0,  the  second  derivatives  of  F(t)  and  R(t)  go  to 
infinity  as  t  goes  to  zero.  In  other  words,  the  zeros  of  the  first 
derivatives  are  immediately  rescinded  by  the  infinities  of  the 
second  derivatives. 


We  now  note  that  systems  of  Type  2  satisfy  Condition  (2.3) 
(Condition  5),  whereas  systems  of  Type  1  do  not. 


As  the  time  increases  from  zero,  the  time  dependent  'ITBF  i(t) 
begins  a  monotonic  descent  from  oo  to  zero  which  it  reaches  asymptot¬ 
ically  as  t  approaches  infinity. 


T(B) 


FIGURE  3-1:  Time-lependent  MTBF 


13 


As  can  be  seen  from  Figure  3-1,  the  constant  tq  achieves  a 
trichotomy  of  the  time  scale  in  the  following  way: 


t  <  1 0 


t  =  TQ 


t  >  IQ 


x(t)  >  IQ 


x(t)  =  TQ 


x(t)  <  TO 


(3.3) 


For  a  more  elaborate  discussion  of  this  subject,  let  us  say  that 
the  system  is  "new"  if  t  <  tq,  and  that  it  is  "old"  if  t  >  x rj .  If 
we  then  compare  two  systems,  one  of  Type  1  and  one  of  Type  Z,  we 
arrive  at  the  following  conclusion:  If  the  systems  are  new,  the 
Type  1  system  has  the  smaller  MTBF  and  the  larger  failure  prooabi 1  it/; 
but  if  the  systems  are  old,  the  Type  2  system  has  the  smaller  MTBF 
and  the  larger  failure  probability.  This  finding  may  be  explained 
as  follows:  Type  2  systems  show  the  signs  of  aging  by  having  a 
time-dependent  MTBF .  In  contrast.  Type  1  systems  have  a  constant 
average  MTBF,  Thus  hiding  the  signs  of  aging.  Naturally,  when  the 
systems  are  new,  aging  is  not  yet  prevalent,  thus  naking  the  Type  Z 
system  less  prone  to  failure;  however,  when  the  systems  are  old, 
the  signs  of  aging  become  prevalent,  thus  making  Type  2  systems 
more  prone  to  failure.  These  findings  are  illustrated  in  Figures 
3-2  and  3-3.  They  will  be  corroborated  by  the  considerations  that 
fol low. 


WWW 


FIGURE  3-3.  Reliability  for  Type  1  and  Type  2  Systems 

( Exaggeration) 


15 


We  now  take  a  closer  look  at  the  way  in  which  systems  of  Type  1 
and  Type  2  behave  when  they  have  been  "aged"  by  a  period  of  previous 
operation.  To  this  end,  we  divide  cne  time  continuum  according  tj 
the  proverbial  trichotomy  of  past,  present,  and  future: 

t  <  ti  Past 

t  =  t^  Present  (3.4) 

t  >  tj  Future 

We  then  compare  the  same  system  in  two  different  states,  or 
situations. 

Situation  1:  The  Nonaged  System 

In  this  situation,  the  system  is  brand  new  at  the  present  time 
when  it  is  put  in  operation.  Uanted  is  the  reliability  at 
the  future  time  t  >  t^. 

Here  it  is  important  to  note  that  the  system  has  no  “history'1 
of  previous  operation.  Therefore,  the  reliability  curve  as  given 
by  Equation  (3.1b)  is  unaffected,  except  that  it  is  now  shifted  the 
distance  from  left  to  right.  If  we  denote  this  reliability  by 
R(t  -  t^) ,  we  have 


(t  >  ti ) 


(3.5) 


This  curve  has  exactly  the  same  shape  as  (3.1b).  This  is  illustrated 
in  Figure  3-4A  (3  3  1)  and  3-4B  (3  >  1)  where  R(t  -  t^)  has  at 
tj  +  At  the  same  value  as  R(t)  at  At. 


To  prepare  situation  2,  we  introduce  the  time 


Situation  2:  The  Aged  System 

In  this  situation,  trie  system  was  brand  new  at  the  past  time 
tQ,  at  wnicn  time  it  was  put  in  operation.  It  then  operated  free 
of  failure  until  the  present  time  t^.  Wanted  is  tne  reliability  at 
the  future  time  t  >  t^.  We  denote  this  reliability  by 

R  (t  -  t]_  |  t]_  -  t<j }  wnich  we  define  as  follows: 


R  {t  -  t\ 


probability  that  the  system  operates 
free  of  failure  from  tj  to  t  (t  >  t]_ ) , 
given  that  it  did  operate  free  of 
failure  from  t.j  to  tj  (t.j  <  t]_). 


To  derive  this  probability,  we  introduce  the  joint  probability 


R  {(tj  -  to)  fl  (t  -  to)  }  which  we  define  as  follows: 


R  { ( 1 1  ■  cu)  n  (t  -  to)  } 


=  Joint  probability  that  the 
system  operates  free  of  failure 
from  t.j  to  t^  and  from  tj  to  t 
(t0  <  tx  <  t) . 


Here  we  note  that,  because  of  the  provision  tQ  <  t^  <  t,  tne  propo¬ 
sition  of  failure  free  operation  from  tQ  to  t  imp! ies  the  proposition 
of  failure  free  operation  from  to  to  tj.  Therefore,  in  the  symbol 
R  {(t-[  -  to)  fl  (t  -  tQ)}  the  term  (t^  -  cq)  is  redundant,  and  we 


R  {(t!  -  to)  n  (t  -  to)}  -  R  (t  -  t0) 


(3.7) 


On  the  other  hand,  the  product  rule  of  the  calculus  of  probability 
decrees  that 


V1 


R  (Ui  -  t0)  n  (t  -  t0)}  =  a  (t  -  t0  !  ti  -  t0}  r  ( t ]_  -  t.j)  (3.3) 


If  then  we  combine  Equations  (3.7)  and  (3.8),  we  obtain 


*  (t  -  t0  |  tx  -  t0}  = 


R(t  -  t0) 


W ( t i  -  tg) 


(3.9) 


Here,  we  note  t.ne  following: 


Failure  free  operation  from  tg  to  t  is  the  same  as  failure  free 
operation  from  tg  to  t^  AND  from  t]^  to  t.  Therefore,  we  nave 


R  It  -  tg  I  t!  -  tg}  =  R  (( t]_  -  tg)  (1  (t  -  tL)  |  -  tg)  }  (3.10) 


And  here,  at  the  right  side,  we  note  that  the  proposition  of  failure- 
free  operation  from  tg  to  t^  is  redundant  because  it  is  already 
stated  in  the  condition  compartment.  Hence  we  also  nave 


8  iit\  -  tg)  fl  (t  -  tj)  |  t]_  -  tg}  =  R  (t  -  ti  i  t]_  -  tg)  (3.11) 


If  then  we  combine  Equations  (3.10)  and  (3.11),  we  obtain 


3  {t  -  tg  |  t]_  -  tg  }  *  R  (t  -  tj  |  ti  -  tg  j 


(3.12) 


And  if  we  substitute  this  into  Equation  (3.9),  we  obtain 


R  { t  -  tj_  |  ti  -  tg  }  = 


R(t  -  tg) 


RUi  -  tg) 


(3.13) 


We  now  nake  use  of  Equation  (3.1b).  According  to  this  equation, 
we  have 


19 


If  this  is  substituted  into  Equation  (3.13),  we  obtain 


R  { t  -  tj  |  tx  -  t0  }  =  Exp 


(t  -  t0)3  +  (t!  -  t0)3 


This  is  the  conditional  reliability  wanted  in  conjunction  with 
Situation  2. 


Before  we  go  ahead,  we  remind  the  reader  that  the  previous 
derivations  are  predicted  on  the  assumption 

tq  <  ti  <  t  '  (3. 

We  now  compare  systems  of  Type  1  and  Type  2.  For  systems  of 
Type  1,  that  is,  for  3=1,  Equations  (3.5)  and  (3.15)  assume  the 
form 


R  (t  -  t\)  =  Exp 


(3=1) 


(3.1 


R  {t  -  tx  |  tx 


(3=1)  (3.1! 


Hence  we  have  a  result  which  nay  or  may  not  surprise  the  reader: 


R  {t  —  tj_  |  tj  -  t0>  =  R(t  -  tj_) 


(3  =  1) 


(3.13) 


This  result  says  that,  for  systems  of  Type  1,  the  condition  of 
operation  during  the  previous  period  from  tg  to  is  completely 
irrelevant.  What  counts  is  only  that  the  system  was  still  func¬ 
tioning  at  the  time  t\  when  the  present  operation  began.  This  is 
illustrated  in  Figure  3-4A  for  6*1  where  the  curves  representing 
R(t  -  t^)  and  R(t  -  tj  |  tj  -  tg)  are  identical. 

Before  we  turn  to  systems  of  Type  2,  we  provide  the  following 
auxiliary  relation: 

(1  -  x)S  <  1  -  X6  (0  <  X  <  1;  3  >  1)  (3.19) 

This  relation  is  true  for  all  values  of  x  and  3  subject  to  the 
conditions  stated  in  the  parentheses;  for  example,  for  x  *  1/3  and 
6  *  3/2,  we  have 

(1  -  x)3  =  0.1925;  1  -  xS  =  0.4557  (3.20) 

We  then  compare  Equations  (3.5)  and  (3.15)  for  3  >  1.  We  assert 

that 


R(t  -  t]_)  >  R  Ct  -  t^  |  tj  -  tg  }  (  3  >  1)  (3.21) 

We  shall  prove  the  assertion  by  showing  that  it  leads  to  the  correct 
relation  (3.19).  To  that  end,  we  infer  in  conjunction  with  Equations 
(3.5)  and  (3.15)  that  the  assertion  (3.21)  implies  that 


(t  -  ti)S  (t  -  t0)S-  (t!  -  t0)3 


T0 


(  B>  1) 


(3.22) 


21 


This  becomes 


(t  -  t^3  <  (t  -  t0)3  -  (tL  -  tu)3  {  3  >  1)  (3.23) 

Here  we  observe  that 

(t  -  tx)  =  (t  -  t0)  -  (tt  -  t0) 

Relation  (3.23)  then  reads 

{(t  -  t0)  -  (tx  -  tg)}3  <  (t  -  t0)3  -  (tx  -  t0)3  (3  >  1)  (3.24) 

If  we  divide  this  relation  by  (t  -  tg)  and  introduce  the  abbreviation 


t  -  tg 

we  arrive  at  our  auxiliary  relation  (3. Id).  The  condition  for  x  is 
also  satisfied  since  it  follows  from  relations  (3.16)  and  (3.25) 
that 

0  <  x  <  1  (3.26) 

This  completes  the  proof  of  the  asserted  relation  (3.21). 

Relation  (3.21)  states  that  the  conditional  reliability  of  the 
aged  system  is  smaller  than  the  unconditional  reliability  of  the 
nonaged  system.  This  is  illustrated  in  Figure  3. 48  for  3  >  1  where 
the  curve  representing  R  {t  -  t^  )  t^  -  tg}  is  lower  than  the  curve 
R(t  -  tj). 


We  have  now  arrived  at  the  conclusion  that  systems  of  Type  2 
show  the  signs  of  aging,  whereas  systems  of  Type  1  hide  them.  The 
mathematical  mechanism  by  which  systems  of  Type  2  show  the  signs  of 


aging  is  the  exponent  3  >  1  or,  what  amounts  to  the  same,  the  time- 
dependent  MTBF  t( t ) .  The  mathematical  mechanism  by  whicn  Type  1 
systems  hide  the  signs  of  aging  is  the  exponent  3=1  or,  what 
amounts  to  the  same,  the  constant  MTBF  tq. 

However,  the  reader  may  still  have  questions.  For  example: 

a.  How  can  an  MTBF  be  time-dependent  if,  by  definition,  it 
is  a  time  average?  See  for  example.  Equation  (2.18). 

b.  If  Type  1  systems  do  not  age,  what  then  causes  them  to 

fail? 

c.  Is  it  possible  that  the  exponent  3  >  1  is  to  be  attributed 
to  other  determinants,  notably  complexity  and  redundancy? 

The  answer  to  Question  a  is  as  follows:  The  momentary  MTBF 
(t)  is  the  MTBF  which  the  system  would  display  if  it  remained  in 
its  momentary  state.  In  other  words,  if  we  have  two  values  of 
x(t),  say,  r(ti)  and  x(t2),  then  these  are  the  MTBFs  of  the  system 
in  two  different  states,  namely  the  states  which  the  system  assumes 
at  the  times  t^  and  t?,  respectively. 

The  second  question  is  deliberately  rhetorical.  We  do  not  say 
that  systems  of  Type  1  do  not  age;  we  merely  say  that  they  hide 
the  signs  of  aging.  This  leads  to  the  appearance  of  "spontaneous" 
failure,  that  is,  failure  without  cause.  A  little  example  will 
il lustrate  this. 

In  nuclear  physics,  we  have  the  spontaneous  decay  of  radioactive 
atoms  such  as  uranium  or  plutonium.  This  phenomenon  is  described 
"pnenomenological ly"  by  the  equation  of  radioactive  decay  which  has 
the  form 


Here,  Ng  and  N(t)  are  the  numbers  of  nondecayed  atoms  at  the  times 
zero  and  t,  respectively.  The  point  is  that  the  argument  of  the 
exponential  has  the  form 

G(t)  «  1 
T0 

with  8*1.  This  is  typical  of  events  which  happen  spontaneously, 
that  is,  without  cause.  However,  such  events  are  only  known  on  the 
atomic  scale.  The  systems  we  are  dealing  with  in  this  report, 
whether  they  are  systems  of  Type  1  or  Type  2,  are  not  atomic  systems, 
but  "thermodynamic"  systems,  that  is,  systems  consisting  of  very 
large  numbers  of  atoms.  Such  systems  do  not  fail  spontaneously, 
but  because  of  structural  fatigue.  These  are  the  reasons  why  we 
say  that  systems  of  Type  1  give  the  appearance  of  spontaneous 
failure,  and  that  they  hide  the  signs  of  aging. 

The  third  question  is  properly  answered  in  subsequent  sections. 

At  this  time,  we  content  ourselves  with  the  terse  remark  that 
Sections  4,  5,  and  6  will  show  that  complexity  and  redundancy  are 
properly  described  by  mathematical  means  other  than  an  exponent 
8  >  1  or  a  time-dependent  MTBF. 


immvtan 


4.  COMPLEXITY 


To  analyze  the  effect  of  complexity,  we  first  excluoe  redundancy. 
However,  there  is  no  need  to  exclude  Type  2  systems.  We  shall  there¬ 
fore  conduct  the  present  investigation  for  the  general  case  of  time- 
dependent  MTBFs. 


We  assume  that  all  subsystems  have  equal  and  total  criticality, 
that  is,  the  system  fails  as  soon  as  one  or  more  subsystems  fail. 
The  MTBF  of  the  i  th  subsystem  is  Tj(t).  Therefore,  the  failure 
probability  and  the  reliability  of  the  i  th  subsystem  have  the  form 


Fi (t)  = 


(4.1a) 


Rj(t)  *  Exp 


(4.1b) 


The  time-dependent  MTBF  is 


?i(t) 


(4.2) 


Here  the  reader  should  notice  that  this  equation  allows  for  different 
3-  values  for  different  subsystems. 

We  assume  that  the  system  consists  of  N  subsystems;  and  we 
refer  to  N  as  the  "complexity  index".  We  also  assume  that  the  N 
subsystems  are  independent  of  each  other.  In  this  case,  the  reli¬ 
ability  of  the  total  system,  R(t),  is  simply  the  product  of  the 
rel iabi 1 ities  of  the  N  subsystems: 


25 


(4.3) 


R(t)  =  7 Y  Ri(t) 


i  3  1 


If  here  we  substitute  Equation  (4.1b)  we  obtain 


R(t)  =  Exp  /- 


where 


(4.4) 


—  T 

x(t)  *—*  t.j(t) 


(4.5) 


i  3  1 


The  failure  probability  becomes 


F(t)  3  1  -  Exp/- 


(4.5) 


Equation  (4.5)  gives  the  MTBF  of  the  total  system,  x(t),  as  a 
function  of  the  MTBF  of  the  subsystems,  Xj(t).  The  following  points 
are  worth  nothing. 

a.  The  MTBF  x(t)  is  time-dependent  because  the  MTBFs  x,(t) 
are  time-dependent.  If  the  MTBFs  of  all  subsystems  are  independent 
of  time,  then  Equation  (4.5)  is  reduced  to 


'1 

x0  X, 

i  3  1 


In  other  words,  complexity  in  itself  cannot  generate  time-dependence 
of  the  MT8F.  Therefore,  the  exponent  S  >  1  found  in  the  literature 
for  complex  systems  cannot  be  attributed  to  the  complexity  of  these 
systems. 

b.  Equations  (4.5)  and  (4.7)  display  the  characteristic 
feature  that  the  inverse  of  the  system  MTBF  is  the  sum  of  the 
inverses  of  the  subsystem  MTBF s .  This  feature  has  the  following 
consequence: 

Suppose,  one  subsystem,  say,  the  i  th  subsystem,  becomes  entirely 
unreliable,  that  is,  x-j  =  0.  Then  1/xj  becomes  infinite.  Then, 
according  to  Equations  (4.5)  and  (4.7),  l/x(t)  or  1/tu  becomes 
infinite.  Then,  x(t)  or  xq  become  zero,  that  is,  the  total  system 
becomes  entirely  unreliable.  In  other  words,  the  system  is  only  as 
reliable  as  its  least  reliable  subsystem,  as  a  chain  is  only  as 
strong  as  its  weakest  link.  For  more  details  on  this  subject,  the 
reader  should  consult  Reference  1. 

c.  Every  MTBF,  by  definition,  is  nonneyative.  It  then 
follows  from  Equations  (4.5)  and  (4.7)  that,  with  increasing 
complexity,  that  is,  with  increasing  N,  the  MTBF  of  the  total  system 
decreases.  In  other  words,  the  higher  the  complexity  of  the  system, 
the  lower  its  reliability,  and  the  higher  its  failure  probability. 
Figure  4-1  illustrates  this  fact  for  the  failure  probability  F(t) 
and  various  values  of  the  system  complexity  index  N. 

d.  If  the  subsystems  have  different  criticality  w.r.t.  the 
system.  Equations  (4.5)  and  (4.7)  are  to  be  modified  as  follows: 


27 


FIGURE  4-1:  Increasing  Failure  ProbaDility  with  Increasing  Complexity 


N 

xi  (t) 

i  *  1 


(4.3a) 


N 


i  *  1 


(4.8b) 


Here  the  C,  are  the  "measures  of  criticality"  which  are  subject  to 
the  following  condition: 


0  i  Ci  <  I 


(4.4) 


The  measures  of  criticality  act  as  "weights",  that  is,  the  larger 
Ci ,  the  higher  is  the  criticality  of  the  i  th  subsystem.  ”he  extra ne 

cases  are: 

=  0:  i  th  subsystem  completely  dispensable 

C-j  =  1:  i  th  subsystem  totally  indispensable 

If  all  subsystems  are  totally  indispensable,  we  have 

C,  =  1  ( i  *  1 ,  2 ,  .  .  N)  (4. Ill) 

In  many  practical  applications,  Ci  is  the  fraction  of  the  time 
during  which  proper  functioning  of  the  i  th  subsystem  is  required 
for  proper  functioning  of  the  total  system.  In  these  cases,  the  Ci 
are  "system  oriented".  The  Ci  may  also  be  "mission  oriented"  or 
"system  and  mission  oriented".  For  more  details,  the  reader  should 
consult  deference  1. 


5.  REDUNDANCY 


Now  turning  to  redundancy,  we  exclude  complexity  in  the  present 
section,  but  we  shall  combine  complexity  and  redundancy  in  Section 
6.  However,  it  will  now  be  necessary  to  exclude  Type  2  systems. 

If  we  did  not  exclude  these  systems,  then  certain  integrals  could 
no  longer  be  solved  in  closed  form.  This  would  render  the  present 
section  so  opaque  that  more  would  be  lost  than  gained.  However, 
this  does  not  render  the  present  section  useless  in  situations 
where  it  is  desirable  to  combine  Type  2  systems  with  redundancy, 
since  the  mathematical  methods  developed  in  this  section  may  still 
serve  as  a  guide  in  those  situations. 

The  redundancy  r  may  assume  nonnegative  integer  values  including 
zero.  If  a  subsystem  has  redundancy  r,  then  there  are  r  spares, 
that  is,  r  +  1  subsystems  of  the  same  kind. 

To  analyze  the  effect  of  subsystem  redundancy  on  the  total 
system,  we  make  one  important  operational  assumption: 

The  first  subsystem  spare  starts  operations  when  the  original 
subsystem  fails.  The  second  spare  starts  operations  when  the  first 
fails,  and  so  forth.  This  assumption  excludes  external  influences 
such  as  a  hostile  environment  where  all  subsystems  may  be  killed  at 
the  same  time. 

The  analysts  problem  may  then  be  formulated  as  follows: 

Given  a  "multitude"  of  r  +  1  equal  subsystems  (redundancy 
r) ,  calculate  the  probability  that  the  multitude  wi 1 1  fail  within 
the  time  t. 


For  r  =  0,  we  already  know  the  answer: 


V 
s’ 

V 

y 

in 


f, 

r! 


31 


iVt'/X 


CM 


**  -c-.  M.'Vvi  c  v"  •jVir.Ar.  vi  va  .wv.V.VA  AV- .v/' 


F(t/0)  *  1  -  Exp<  -  - 


(5.1) 


Here,  F(t/0)  is  the  failure  probability  for  a  multitude  of  redundancy 
zero. 

Next  we  calculate  the  failure  probability  for  a  multitude  of 
redudancy  one,  F(t/1).  We  now  have  two  subsystems  of  the  same 
kind.  The  spare  begins  operations  when  the  original  fails.  Tor 
the  calculation  of  F(t/1),  we  now  recall  the  infinitesimal 
probability  dF(t)  from  Equation  (2.14).  With  the  aid  of  this 
probability,  we  can  say  the  following: 

The  probability  that  the  original  subsystem  fails  at_  the 
time  t^  is 


1  J  M 

dF(t]_)  =  -  Exp  < - >  dti 


If  we  multiply  this  with  the  probability 


(5.2) 


F(t  -  t]_)  =  1  -  Exp 


t  -  tx 


(5.3) 


we  obtain  the  joint  probability  that  the  first  subsystem  will  fail 
at  the  time  tj,  and  the  second  will  fail  within  the  time  from  t^  to 
t  (t  >  t^).  And  if  we  then  integrate  over  t^  from  zero  to  t,  we 
obtain  the  probability  that  the  multitude  of  two  will  fail  within 
the  time  from  zero  to  t: 


F  ( t  / 1 ) 


■■J 


■4?)  — 


(5.4) 


32 


This  becomes 


F(t/1) 


*;/  ^(-7)^-;  *"(-;)/ 

0  0 


And  this  becomes 


F(t/1)  -  1  -  (  1  +  -  ]  Exp  (  -  - 


This  is  the  failure  probability  for  a  multitude  of  redundancy  1. 
The  discussion  will  be  postponed  to  the  end  of  this  section. 

Now  turniny  to  redundancy  2,  we  have  three  factors: 


1  /  *1  \ 

dF(t^)  =  -  Exp  (  -  —  )  dtj 


dF(t?  -  t^)  =  -  Exp  - 

x  \  t 


t2  -  tx 


F(t  -  t?)  *  1  -  Exp 


t  -  t? 


These  equations  display  the  assumption  that  the  second  subsystem 
starts  operations  when  the  first  fails,  and  the  third  suDsystem 
starts  operations  when  the  second  fails. 


We  now  have 


t?  t 


F(t/2) 


■3  /  f-n 


ti  =  o  t2  =  o 


t?  - 


;  I 


1  -  Exp  - 


This  becomes 


t  -  t2 


dt^  dt2 


tp  t 


F(t/2)  -  ^  f  /  Exp^  -  —  ^  dt^  dt2 


t]_  =  0  t2  =  0 


i  Exp(- ; 


t?  t 


/ 


dt}  dt2 


ti  =  0  t2  =  0 


Now  performing  tie  integration  in  t\ ,  we  obtain 


(5.8) 


(5.<?) 


F(t/2)  =  —  J”  £xp^ - :  jt2  dt2  -  — 


:xp  j  -  -  J  /  t2  dt2  (5.10) 

T 

t 

0 


Here,  the  second  integral  is  straightforward .  To  prepare  the 
solution  of  the  first  integral,  we  employ  a  method  similar  to  the 
one  expounded  in  Section  2.  To  that  end,  we  define: 


(5. lla) 


34 


( 5 . 1 1  o ) 


‘l:t)  •  I Exp  ('  ~)'1 


With  the  aid  of  definition  (5.11b),  Equation  (5.10)  may  then  be 
written  as  follows: 


(5.12) 


We  now  have  to  calculate  I]_(t).  To  that  end,  we  first  observe 
that  Iq( t )  is  straightforward  and  yields 


(5.13) 


Iq(  t)  =  T  /  1  -  Exp  —  j J 

By  differentiation  w.r.t.  t,  we  then  get 


=  1  -  Exp 


;) ' ; Ex?  ('  i 


(5.14) 


On  the  other  hand,  di fferentiation  of  (5.11a)  w.r.t.  yields: 


S  ■  a  /  » (•  t)  -  - 


Because  of  (5.11b),  this  reads 


(5.15) 


31.)  1 

—  -  -  h  (t) 

3t 


(5.15) 


Combination  of  Equations  (5.14)  and  (5.15)  then  yields 


Ii(t)  *  T2  1 1  -  Exp(  -  -  V\  -  It  Exp/  -  - 


(5.17) 


And  if  this  is  substituted  into  Equation  (5.12),  we  obtain 


t  1  /  t  \  2^  ft 

F( t/2)  =<1  -  1  +  -  +  —(-  )  )  Exp  [  -  - 

t  2!V  t  /  (  V  x 


(5.18) 


This  is  the  failure  probability  for  multitudes  of  redundancy  two. 

In  this  way,  we  may  continue  and  obtain  the  general  formula  for 
multitudes  of  redundancy  r: 


F ( t/r )  *  1  -  Q(tjr)  Exp^-  - 
where  the  function  Q(t/r)  is  defined  as  follows: 


(5.19a) 


Q(t/r) 


■E  =(! 


(5.19b) 


k  =  o 


The  corresponding  reliability  is 


R(t/r)  *  Q(t/r)  Exp 


(5.19c) 


We  now  turn  to  the  discussion  of  these  results.  We  first  observe 
that  redundancey  does  not  lead  to  the  exponent  S  >  1,  but  leads  to  the 
characteristic  functions  0(t/r)  which  multiply  the  exponential 


36 


p 


And  since  the  functions  Q( t/r)  are  larger  than  one,  it  follows  in 
conjunction  with  Equations  (5.19a)  and  (5.19c)  that  redundancy 
reduces  the  failure  probability  and  increases  the  reliability. 
Since  according  to  Equation  (5.19b)  all  terms  of  Q(t/r)  are  positi 
it  also  fol lows  that 


Q( t/r  +  1)  >  Q(t/r) 


(5.2C 


It  then  follows  in  conjunction  with  Equation  (5.18a)  that 


F(t/r  +  1)  <  F( t/r) 


(5.21 


This  means  that  the  multitude  with  the  hiyher  redundancy  has  the 
smaller  failure  probability.  This  is  illustrated  in  Figure  5-1. 


FIGURE  5-1:  Failure  Prooabi 1 ities  of  Multitudes 
of  Various  Redundancies 


■-■'V 


It  is  interesting  to  consider  the  case  r  =  od,  although  it  does 
not  have  much  practical  importance.  We  then  have 


0(  t/  oo) 


■eh:) 

k  =  0 


(5.22) 


Here  we  note  that  this  is  the  Taylor  development  of  Exp  [  + 


Hence  we  have 


F ( t/ oo)  3  1  -  Exp  (  +  -  ^  Exp  (  — 


which  becomes 


F(t/oo)  *  0  (5.23) 

As  one  should  expect,  infinite  redundancy  reduces  the  failure 
probability  to  zero. 


'V.W  * 


,■  ■  rji  • 


: \ f  \5 fc..<Lv> 4j=  fei.  fc*'.  </Tf?vtK  i* ’ _#KV#»'  **i »'-»  **»  Vt* #'v. '4s1 .  ■> ^pt  ».< '-■%  ' 


.  COMPLEXITY  ANO  REDUNDANCY  COMBINED 


As  the  precediny  section,  the  present  section  is  restricted  to 
systems  of  Type  1.  We  consider  a  system  that  consists  of  N 
subsystems.  Each  subsystem  has  its  own  constant  MT8F  tj,  and  its 
own  redundancy  ri .  Hence  for  the  i  th  subsystem,  the  reliability 


has  the  form 


R(t/rj )  =  Q(  t/r-j )  Exp 


Q(t/n 


-  -I  s(U 


k  *  0 


The  reliability  of  the  total  system  is  then 


R(t/rj ,  r2 ,  ...»  r^j)  *  Q(t/r^,  r2,  •••»  Exp 


Q(t/ri,  r2,  ....  rn)  =  jj'  Q(t/rj) 


i  =  I 


il 

l~Z  - 

T  4— »  Tj 


1'  *  I 


(5.1a) 


(6.1b) 


(6.2a) 


(6.2b) 


(6.2c) 


.  r  iLt  w  1  »  j 


The  failure  probability  is 


F(t/ri,  r2  H )  =  1  -  R  (t/rit  r2 . n )  (5.3) 

The  reliability  and  redundancy  of  subsystems  are  to  a  certain 
extent  under  the  control  of  the  designer.  This  limited  flexibility 
may  be  used  to  trade  one  against  the  other.  For  example,  it  may  be 
advantageous  in  terms  of  weight,  volume,  or  cost,  to  trade  the 
redundancy  of  a  certain  subsystem  against  higher  reliability. 

Even  more  important  seems  to  be  the  following  subject.  Since 
the  total  system  is  only  as  reliable  as  its  least  reliable  subsystem 
multitude,  it  is  desirable  to  make  the  reliablities  of  all  subsystems 
multitudes  as  equal  as  possible.  In  so  doing,  one  may  either  save 
excess  redundancy  or  gain  total  system  reliability,  or  both.  How¬ 
ever,  since  the  redundancy  indices  r,  can  assume  only  integer  values, 
complete  equality  of  the  rel iabi 1 ities  of  all  subsystem  multitudes 
is  rarely  possible.  Nevertheless,  a  significant  degree  of  equal¬ 
ization  may  be  achieved  by  proper  selection  of  the  redundancy 
indices  rj ,  as  the  following  numerical  example  will  demonstrate. 

Suppose  the  subsystems  1  and  2  have  the  following  MTBFs: 

1^=1 .00  year  (5 .4a) 

t2  =  0.55  year  (6.4b) 

Also  suppose  that  the  user  of  the  system  is  most  interested  in  the 
period  of  operation 

t  =  1  year  (6.5) 

If  then  we  select  the  redundancy  indices 


rl  • 1 


( 5  .6a 


ro  *  2 


(6 .60 


the  correspondiny  reliabilities  of  the  subsystem  multitudes  assume 


the  values 


Rx( t/1)  =  0.736 


(5.7a) 


<Mt/2)  =  0.726 


16.70) 


These  equations  display  tne  far-reaching  equality  of  reliabilities 
which  we  announced.  If  we  selected  redundancy  indices  different 
from  the  values  (5.6a)  and  (5.6b),  the  corresponding  reliabilities 
Rl ( t/ r )  and  R^U/^)  would  0e  substantially  different  from  eacn 


other. 


'•Vf.'-.'.V. 


l—N  *, . '  iV  —  A  Ja  J:  t  k 


I  •Jhli’ClWaHAV 


7.  RELATED  TOPICS 

Redundancy  is  applicable  not  only  to  subsystems,  but  to  complete 
systems  as  well.  For  example,  a  user  of  satellites  may  need  one 
satellite  in  orbit  at  all  times  during  an  extended  period  of  time. 

For  that  purpose,  he  has  a  certain  number  of  satellites  ready  to 
launch;  however,  to  limit  launch  cost  and  for  other  reasons,  he 
does  not  wish  to  have  more  than  one  satellite  in  orbit  at  any  given 
time.  Therefore,  at  the  time  zero,  he  launches  one  satellite. 

When  this  satellite  fails,  he  launches  the  next  one,  and  so  forth. 

Now  the  question  arises:  How  many  satellites  does  he  need  to 
provide  single  orbiting  satellite  coverage  for  the  time  period  from 
zero  to  t? 

To  calculate  this  number,  we  need  the  following  probabilities: 

E(t/r)  *  Probability  that  a  multitude  of  redundancy  r  will  be  reliable 
during  the  time  t,  but  a  multitude  of  redundancy  (r  -  1) 
will  fail 

We  refer  to  these  reliabilities  as  the  "exclusive  reliabilities". 

The  exclusion  is  that  part  of  the  definition  which  we  underlined. 
Whereas  the  ordinary  reliability  R(t/r)  does  not  exclude  the 
reliability  of  a  multitude  of  redundancy  (r  -  1),  the  exclusive 
reliability  E(t/r)  expressly  makes  this  exclusion. 

The  exclusive  reliabilities  E(t/r)  and  E(t/r  -  1)  are  mutually 
exclusive  since  E(t/r)  excludes  the  reliability  of  a  multitude  of 
redundancy  (r  -  1)  whereas  E{t/r  -  1)  assumes  reliability  of  the 
same  multitude.  An  immediate  consequence  of  this  fact  is  that 


Isv.--  -v 


I ' 

r  =  0 


(t/r)  =  1 


(7.1) 


This  equation  which  presently  follows  from  purely  logical  considerations 
will  have  to  be  confirmed  later  when  the  functions  E(t/r)  are  known. 

With  the  aid  of  the  exclusive  probabi 1 ities ,  we  may  now  calculate 
the  number  of  satellites  needed.  To  this  end,  we  define: 

<r/t>  *  Expected  required  redundancy  to  cover  the  time  period  t. 

Clearly,  this  is  the  number  wanted,  and  it  is  given  by  the  equation 


<r/t> 


k  E(t/k) 


(7.?.) 


k  *  0 


Since  the  first  term  of  the  sum  is  zero,  we  may  also  write 


<r/t> 


•I 


k  E(t/k) 


(7.3) 


k  =  1 


We  now  have  to  calculate  the  exclusive  reliabilities  E(t/k) . 

To  that  end,  we  turn  to  the  ordinary  reliabilities  R(t/r)  shown  in 
Figure  7-1  for  various  values  of  r. 


r-  2  r  -  l  r 


CD 


FIGURE  7-2:  Venn  Diagram  of  Reliabilities  R(t/r) 


45 


i 

I 

t 


When  compared  witn  the  Figure  7-1,  the  Venn  Figure  7-2  has  the 
disadvantage  that  it  does  not  show  the  influence  of  the  time,  but 
tne  advantage  that  it  does  show  the  inclusiveness  and  exclusiveness 
of  certain  probabilities,  as  will  now  be  discussed. 

To  explain  the  Venn  diagram,  we  first  recall  that  R(t/oo  )  =  1. 
In  view  of  this  fact,  it  is  advantageous  (though  not  compelling) 
to  define  the  content  of  the  maximal  rectangle  (ADEH)  of  Figure  7-2 
to  be  one.  We  then  have 


R(t/oo)  =  Area  ( ADEH)  =  1 


(7.4) 


All  other  reliabilities  are  then  represented  by  areas  rather  than 
ratios  of  areas.  We  have  for  example. 


R(t/r)  =  Area  ( ACFH) 


(7.5a) 


R(t/r  -  1)  *  Area  (4BGH) 


(7.5b) 


But  the  same  areas  also  represent  propositions  (or  sets) 
propositions  are: 

A  multitude  of  redundancy  r 
(ACFH)  =  will  be  reliable  within  the 
time  interval  t 

A  multitude  of  redundancy  r-1 
(ABGH)  =  wi 1 1  be  reliable  within  the 
time  interval  t 


These 


From  these  definitions  as  well  as  from  the  Venn  diagram,  it  is 
obvious  that  the  proposition  (ABGH)  implies  the  proposition  (ACFH), 
that  is. 


( ABGH)  <=  (ACFH) 


(7.6) 


In  the  language  of  set  theory,  tnis  relation  reads:  Set  (ABGH)  is 
a  proper  subset  of  set  (ACFH).  The  corresponding  relation  in 
terms  of  probabilities  is 

R(t/r  -  1)  <  R(t/r)  (7.7) 

Next  we  observe  that  (ACFH)  is  the  union  of  (ABGH)  and  (8CFG),  that 
is, 

(ACFH)  =  (ABGH)  (1  (8CFG)  (7.3) 

It  can  also  be  seen  that  the  two  propositions  at  the  right  side  of 
relation  (7.8)  are  mutually  exclusive,  that  is, 

(ABGH)  U  (BCFG)  *  0  (7.9) 

Here  0  is  the  impossible  or  contradictory  proposition,  or  the  null 
set. 


It  now  follows  from  relations  (7.8)  and  (7.9)  that 

Prob  (ACFH)  =  Prob  (ABGH)  +  Proo  (BCFG)  (7.10) 

Here  the  probability  at  the  left  side  and  the  first  probability  at 
the  right  side  are  already  known  by  virtue  of  Equations  (7.5a)  and 
(7.5b).  Hence  we  only  have  to  interprete  the  Prob  (BCFG).  But 
this  is  clearly  the  exclusive  reliability  E( t/r) : 

E(t/r)  *  Prob  (8CFH)  (7.11) 

If  now  relations  (7.5a),  (7.5b),  and  (7.11)  are  substituted  into 
Equation  (7.10),  we  obtain 


E(t/r)  =  R(t/r)  -  R(t/r  -  1) 


(7.12) 


Obviously,  this  relation  applies  to  all  values  of  r  except  r  =  0. 

But  from  logical  arguments  or  from  Figure  7-2,  it  easily  follows  that 


E(t/0)  =  R(t/0) 


(7.13) 


Since  the  ordinary  reliabilities  R(t/r)  are  already  known. 
Equations  (7.12)  and  (7.13)  offer  an  easy  way  to  calculate  the 
exclusive  reliabilities  E(t/r).  But  before  we  carry  this  out,  we 
form  the  sum  of  all  E(t/r)  from  zero  to  infinity.  Equations  (7.12) 
and  (7.13)  then  yield 


E(t/k)  =  R( t/0) 


k  =  0 


+  R(t/1)  -  R( t/0) 


+  R( t/2)  -  R( t/1) 


It  is  not  difficult  to  see  that  this  reduces  to 


E(t/k)  =  R( t/oo  )  =  1 


k  *  0 


This  confirms  our  previous  relation  (7.1). 

To  calculate  E( t/r) ,  we  substitute  Equation  (5.13c)  into  Equation 
(7 .12) .  This  yields 


Evt.T)  =  iQU/r)  -  lU/r  -  i)}  Exp 


If  hera  we  need  Equation  (5.18b),  we  get 


EU/r) '  7T  GI E4 ! 


(7.15) 


This  equation  defines  all  functions  E(t/r)  from  r  =  0  to  infinity, 
[f  we  form  once  again  the  sum  of  all  E(t/r),  we  yet 


E(t/k)  =  Exp 


k  ■  0 


1  /  t 


k  =  0 


kl V  i 


And  this,  once  again,  confirms  relation  (7.1). 

We  are  now  ready  to  calculate  the  expected  required  redundancy 
<r/t>.  Substitution  of  Equation  (7.14)  into  Equation  (7.3)  yields 


<r/t> 


-(-))£  i0 

k  =  1 


(7.15) 


This  becomes 


<r« y  —  r. 

\  T  /  t  Z__ r  (k  -  1) !  \  X 

k  *  1 


k  -  1 


(7.17) 


vV>  -V 


49 


Here  we  consider  the  Taylor  development 


00 


Exp  + 


Ei  /  t 

in! 

m  =  0 


With  the  substitution 

m  =  k  -1 

Equation  (7.13)  assumes  the  form 

k  =  1 


If  this  is  substituted  into  Equation  (7.17),  we  get 
t 

<r/t>  =  - 

As  a  numerical  example,  we  consider 
t  =  10  years 
i*l  year 

It  then  follows  that 

<r/10>  »  10 

Hence  the  user  needs  10  satellites,  one  for  every  year. 


(7.13) 


(7.19) 


(7.20) 


(7.21) 


(7.22a) 

(7.22b) 


(7.23) 


50 


A  slightly  different  way  of  addressing  the  same  problem  is  to 
calculate  the  MTRF  of  a  multitude  of  redundancy  r.  The  definition  is 


MT3F(r) 


oo 

t  dF(t/r) 

0 


(7.23) 


Here  dF(t/r)  is  tne  differential  of  the  failure  probability  F ( t / r ) 
defined  by  Equations  (5.18a)  and  (5.18b).  From  Equation  (5.13a), 
we  obtain 


t  \  dt 

dF(t/r)  =  Q(t/r)  Exp  j  -  -  j - Exp^-  -jdQ(t/r) 


-  Wt/r) 


(7.24) 


To  form  the  differential  dQ(t/r),  we  write  Equation  (5.18b)  in  the 
equivalent  form 


T';(l 


Q(t/r)  =  1  + 


(7.25) 


m  =  1 


The  differential  then  assumes  the  form 


dQ( t/r) 


Z1  /  t  \m_1  dt 

(m  -  1) ! \  t  /  t 


m  =  1 


(7.26) 


Substitution  of  Equations  (5.18b)  and  (7.26)  into  Equation  (7.24) 
then  yields 


% 


1 


Here,  under  the  first  summation  siyn  in  the  paranthesis,  we  make 


the  substitution 


k  *  m  -  1 


We  then  obtain 


dF(t/r)  * 


r  +  1 


(7.2 3) 


(m  -  1 ) !  V  T  /  (m  -  1) !  \  x  / 

m  a  1  m  a  1 


This  reduces  to 


ro  -  1  /  t  \  dt 

H'wt 

% 

(7.29) 


(7.30) 


If  now  Equation  (7.30)  is  substituted  into  Equation  (7.23),  we  obtain 


MTBF(r) 


L_i_  f 

r!xr  +  lJ  \  x/ 


(7.31) 


Here  we  recall  the  moments  defined  by  Equation  (2.20).  Equation 
(7.31)  then  assumes  the  form 


MT3F{r)  = 


Mr  +  1 
»i  Tr  +  1 


(7.32) 


We  now  see  that  we  need  Mr  +  j .  To  that  end,  we  recall  Equation 
(2.26)  which  reads 


'Hi  =  X" 


(7.33) 


3y  differentiation  of  Equations  (2.21b)  and  (7.33)  w.r.t.  x,  we 
then  yet 


=  L  f  e  -  t/T  t2 

3T  x2  J 


(7.34a) 


*  2  x 


(7.340) 


It  then  follows  in  conjunction  with  Equation  (2.20)  for  n  =  2  tnat 

i'i?  *  2  X3  (7.35) 

In  this  way,  we  may  continue  and  calculate  all  higher  moments. 

This  leads  to  the  followiny  series: 


"0  ■  L 


M2  =  2x3 
M3  -  6t4 
M4  =  24X5 


(7.36) 


O  O 

o  o 

o  o 

Mn  =  n!  xn  +  1 
Hence  we  have 

Mn  +  !  *  (n  +  1)!  x"  +  2  (7.37) 

Substitution  of  (7.37)  into  (7.32)  then  yields 

MTBF(r)  *  (r  +  1) t  (7.38) 

Hence  we  have  the  series 

One  Sat:  MTBF  (0)  -  t 

Two  Sats:  MTBF  (1)  =  2x 

Three  Sats:  MTBF  (2)  *  3x 


and  so  forth.  This  shows  that  each  satellite  increases  the  MTBF  of 
the  multitude  by  one  x. 


8.  SUMMARY 


1.  Complexity  and  criticality  go  hand  in  hand.  If  a  system  is 
complex,  and  if  all  subsystems  are  equally  critical,  the  inverse  of 
the  system's  MTBF  equals  the  sum  of  the  inverses  of  the  subsystem's 
MTBFs,  as  shown  by  Equations  (4.5)  and  (4.7). 

2.  If  the  subsystems  have  different  criticalities,  the  inverse 
of  each  subsystem  MTBF  is  weighted  by  a  measure  of  criticality  Cj, 
as  shown  in  Equations  (4.8a),  (4.8b),  and  (4.9). 

3.  Redundancy  of  subsystems  is  mathenatical ly  described  by  the 
functions  Q( t/ r ^ )  of  Equation  (6.1b)  where  r^  is  the  redundancy  of 
the  i  th  subsystem.  These  functions  multiply  the  exponentials  which 
constitute  the  reliabilities,  as  shown  in  Equations  (6.1a),  (6.2a), 
and  (6.2b). 

4.  The  reliability  of  a  subsystem  multitude  depends  on  both 
the  subsystem  redundancey  and  the  single  subsystem  reliability.  One 
can  trade  one  against  the  other  without  affecting  the  reliability  of 
the  multitude.  If  the  reliabilities  of  the  single  subsystems  are 
given,  one  can  equalize  the  reliabilities  of  the  multitudes  by  proper 
selection  of  redundancies.  In  this  way,  one  can  either  save  excess 
subsystem  redundancy,  or  gain  total  system  reliability,  or  both. 

5.  Fatigue  is  the  cause  of  failure.  It  is  realistically 
described  by  an  exponent  8  >  1  in  equations  such  as  (3.1a)  and 
(3.2a).  A  mathematically  equivalent  description  is  the  time 
dependent  MTBF  of  Equations  (3.2a)  and  (3.2b).  Systems  which  have 
these  characteristics  display  the  signs  of  aging  by  the  fact  that 
the  reliability  from  now  into  the  future  decreases  as  the  combined 
duration  of  past  operation  increases,  as  shown  in  relation  (3.21) 
and  Figure  3-4B. 


6.  We  believe  that  the  subjects  of  complexity,  criticality, 
and  redundancy  are  virtually  exhausted;  but  the  subject  of  fatigue 
is  far  from  being  exhausted.  What  is  needed  is  a  concerted  effort 
to  generate  more  experimental  data  and  to  subject  them  to  rigorous  1 

mathematical  analysis. 


!t 

ft 

b 

l 

i 


t 


<•  •Iv'tVAVi 


m 


>v> 


